CVE-2026-57945

Source
https://cve.org/CVERecord?id=CVE-2026-57945
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-57945.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-57945
Published
2026-06-29T17:18:05.557Z
Modified
2026-07-16T03:31:03.482187458Z
Severity
  • 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
PhotoPrism - Unauthorized User Profile Modification via PUT /api/v1/users/{uid} Endpoint
Details

PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints. Attackers can exploit the missing session-to-user identifier validation in the PUT users API endpoint to overwrite another user's profile details without authorization.

Database specific
{
    "cwe_ids": [
        "CWE-639"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/57xxx/CVE-2026-57945.json",
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/photoprism/photoprism

Affected ranges

Type
GIT
Repo
https://github.com/photoprism/photoprism
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "260601-a7d098548"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "DESCRIPTION",
        "REFERENCES"
    ]
}

Affected versions

Other
210102-af71e5f7
210104-7f9e806a
210111-cc05c430
210119-a5399f06
210120-e7cd5e9a
210121-07e559df
210128-a82061e0
210208-9e10ba69
210211-b9595dd4
210216-4939e36a
210217-49039368
210222-ac5a9d5e
210422-97e75b04
210426-da6e948f
210505-d3e53a89
210518-80981c25
210519-24b5c7e6
210520-4b32bac7
210523-b1856b9d
210925-96168e4b
211002-bf015326
211007-8f55d6f8
211009-d6cc8df5
211010-83b4f783
211018-e200f322
211127-86c43159
211128-7e8974fd
211130-13cfcf6d
211203-fdb6b5e1
211210-2cb90e7e
211215-93b26f19
220107-f5b7ef83
220118-76c94a1f
220121-2b4c8e1f
220302-0059f429
220517-b9c68f8f
220524-c76de0df
220527-005770ca
220528-efb5d710
220614-dea9ff68
220617-0402b8d3
220629-5d7448d2
220728-729ddd920
220730-0e1222c83
220901-f493607b0
221102-905925b4d
221103-211eb36ea
221104-20d180b21
221105-7a295cab4
221116-122ebfb70
221117-3268c4de8
221118-e58fee0fb
230502-c405f6eff
230504-cbf48798c
230506-9de9a3540
230513-0b780defb
230603-378d4746a
230607-9e086c7eb
230615-90a18f6e7
230625-17242fb07
230719-73fa7bbe8
230923-e59851350
231011-63f708417
231021-9abea5b55
231128-f48ff16ef
240420-ef5f14bc4
240523-923ee0cf7
240528-977d6c0de
240531-60b3a4628
240711-2197af848
240915-e1280b2fb
250223-b79d21907
250224-834c16bc7
250228-43447fa38
250321-57590c48b
251130-b3068414c
260305-fad9d5395
260523-0544f71c1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-57945.json"